Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1599
Views
5
Helpful
5
Replies

IPSec IKE PSK with IP peer address

Go to solution
fsebera
Level 4
Level 4

‎04-02-2021 08:10 AM

Cisco IOS-XE configuration supports multiple phase 1 crypto isakmp PSK options for ip address-peers.  We have a large number of IPSec peers (700+) and would like to use one PSK per network range instead of per peer or the same PSK for all peers with the 0.0.0.0 option.  I know this is not recommended especially with PSKs but this is my direction.  I’m looking for someone with experience with a setup like this (even with IKEv2) and asking how such a setup performed overall.  

 

Our Head-end routers are ASR1009-X and remote edge routers are ASR1002-x, ISR 4300 and 2951s with physical crypto cards installed.  This configuration is ikev1 which is deprecated and will migrate to ikev2 after this is ironed out. 

Ex:

crypto isakmp key key1 address 192.168.0.0 255.255.255.0

crypto isakmp key key2 address 172.16.0.0 255.255.255.0

crypto isakmp key key3 address 10.0.0.0 255.255.0.0

 

Thank you

Frank

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Rob Ingram
VIP
VIP

‎04-02-2021 08:53 AM

@fsebera 

Yes the router cycles through until it finds a match on the IP for the key.

View solution in original post

5 Replies 5

Go to solution
Rob Ingram
VIP
VIP

‎04-02-2021 08:25 AM

@fsebera 

Yes what you propose will work fine, just use long complex random PSK.

 

If you migrate to IKEv2 then you have the option to use asymetric authentication (different local and remote authentication methods). Using FlexVPN also have the option to use PSK stored on AAA server (RADIUS), allowing you to centrally update the PSKs instead of reconfiguring the routers.

0 Helpful

Go to solution
fsebera
Level 4
Level 4
In response to Rob Ingram

‎04-02-2021 08:32 AM

Hi Rob,

 

Thank you for the quick reply. Yea my password is a bad example no doubt :)..., and unfortunately our Juniper boxes (I didn't mention) do not support asymmetric PSKs -yikeeeeeeessss.

 

In behind the curtains does the IOS just cycle through the multiple crypto ISAKMP key entries until it finds an IP address-peer match?

Thanks

Frank

0 Helpful

Go to solution
fsebera
Level 4
Level 4
In response to fsebera

‎04-02-2021 08:54 AM

The reason I ask is most peers fall within the 3 defined ranges of:

192.168.0.0 /24

172.16.0.0 /24

10.0.0.0 /16

 

while other peers don't fall within a supernet at all - think ISP static addressing which will be covered by the 0.0.0.0 wild-card range.

Should the 0.0.0.0 range be added into the configuration last or is IOS smart enough to choose the most specific peer address first.

 

Thanks

Frank

 

0 Helpful

Go to solution
Rob Ingram
VIP
VIP
In response to fsebera

‎04-02-2021 09:23 AM

@fsebera 

It will use the most specific match. Use keyrings rather than defined under global configuration.

0 Helpful

Go to solution
Rob Ingram
VIP
VIP

‎04-02-2021 08:53 AM

@fsebera 

Yes the router cycles through until it finds a match on the IP for the key.

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents